CVE-2019-16775— NPM npm CLI 后置链接漏洞

Unauthorized File Access in npm CLI before before version 6.13.3

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

CWE-61

NPM npm CLI 后置链接漏洞

NPM npm CLI是美国NPM公司的一款软件包管理器。 npm CLI 6.13.3之前版本中存在后置链接漏洞。该漏洞源于网络系统或产品未正确过滤表示非预期资源的链接或者快捷方式的文件名。攻击者可利用该漏洞访问非法的文件路径。

N/A

N/A